In this article, we'll look at the new support for self-encrypting drives (SEDs) and the new Network Unlock feature that allows for automatic unlocking of BitLocker-protected drives when the computer is connected to the wired corporate network.

BitLocker Drive Encryption has come a long way, since its introduction in Windows Vista in 2006. Each iteration has offered improvements, and the version of BitLocker in Windows Server 2012 and Windows 8 client is a robust and full featured option for protecting computers from attacks to which a system is vulnerable when the attacker has physical possession. This is particularly important for the mobile devices that have become the computing "weapon of choice" for many of today's on-the-go business users.

Here's the problem: If a laptop containing sensitive information and/or remote connections (such as VPN connections) to the corporate network are lost or stolen, an unauthorized person may be able to access the information on the drive even without knowing or cracking the user's logon password. He might remove the hard drive from the system and put it into another computer that already has an OS installed, install another OS in a dual boot configuration, or use an OS that can be booted from an optical drive or USB drive.

To help protect against access to data by an unauthorized person who has obtained physical access to the computer, you can encrypt the data. By going further and encrypting the operating system files as well, you ensure that the unauthorized person won't be able to boot the system and gain access that way. File level encryption such as Microsoft's Encrypting File System (EFS) can be used to encrypt data but does not encrypt the OS files. The solution is to encrypt the entire drive or volume.

The Microsoft solution

Microsoft's answer to full drive encryption is BitLocker. When it was initially released as part of Windows Vista, it could be used to encrypt only the partition on which the operating system was installed.

Windows 7 took BitLocker to the next level, with a new feature called BitLocker To Go, which added the ability to use BitLocker encryption on removable drives, including USB flash drives, flash cards and USB hard drives.

With Windows 8 and Windows Server 2012, BitLocker has really come into its own. Microsoft added a number of important enhancements that make BitLocker easier to deploy and use in more circumstances than ever before. In addition, now that the number of Windows client editions has been reduced to three (Windows 8, Windows 8 Pro and Windows 8 RT), the Pro version includes BitLocker and BitLocker To Go.

New features: SED Support

In previous versions of BitLocker, the technology did not support the use of a hardware-encrypted hard drive as the boot drive. This has changed, and now you can use drives with built-in hardware encryption (often called Self-encrypting drives or SEDs). A wide variety of drive types are supported, including IDE, ATA, SATA, eSATA, SAS, and SCSI, as well as IEEE 1394 and USB. Windows Server 2012 takes it a step further and supports BitLocker on Fiber Channel and iSCSI drives as well. You can also use BitLocker with hardware-based RAID arrays (but not software-based RAID).

New features: Network Unlock

Another new feature in the Windows 8 and Server 2012 version of BitLocker is network unlock. This feature is aimed at enterprise environments, specifically at systems that belong to a Windows domain. What it does is automatically unlock BitLocker-protected drives when the computer is rebooted if it is connected to the corporate network (this must be a wired connection, not a wi-fi or remote connection).

This avoids the problem of users forgetting their PINs or USB keys, when they're connected to the trusted network (the assumption being that if they are physically on premises with Ethernet plugged in, they are probably the authorized users). It also makes it easier to roll out patches and other updates to unattended desktops that are BitLocker-protected. Of course this is an optional configuration; for better security, organizations can still require that the PIN be entered (and/or USB key inserted) to access the protected drives even when on the corporate network.

Network unlock prerequisites

There are some prerequisites before you can implement network unlock. The BitLocker-protected system must be using UEFI firmware (not legacy BIOS) and it needs to have a DHCP driver in the firmware. The network must have a Windows Server 2012 server operating in the WDS (Windows Deployment Services) role and also a DHCP server that is separate from the WDS server (and separate from the domain controller). Group policy must be configured for network unlock, and the network unlock feature itself must be installed on the Windows Server 2012 server. You do this through Server Manager or with PowerShell; the feature name is BitLocker Network Unlock.Network unlock uses public key cryptography and a network key that is stored on the system drive.

How network unlock works

The client computer's boot manager detects the network unlock key protector. Key protectors are the means by which BitLocker keys are protected, such as a password or PIN, a key file, a smart card, certificate, etc. When the client detects this protector, it uses DHCP (hence the requirement for a DHCP drive in UEFI) to get an IPv4 IP address. Then it sends out a DHCP request with the encrypted network key and session key.

The server has to have a 2048 bit RSA key pair and the clients need to have the public key. The certificate is deployed through the Group Policy Editor on the domain controller. The WDS server decrypts the request with the RSA private key. Then it sends the network key back, encrypted with the session key (also using DHCP).

What happens if the WDS server isn't available or doesn't return the proper key? In that case, the user will be prompted to use the protector that it's configured to use when not on the corporate network (e.g., TPM + PIN). The user will be able to unlock the BitLocker-protected drive in the standard way.

Network unlock deployment, step by step

Here are the steps involved in setting up network unlock for a Windows domain:

1.Install the WDS Server role via Server Manager or PowerShell. The command for PowerShell is Install-WindowsFeature WDS-Deployment

2.In Services Management or via PowerShell, ensure that the WDS service is running. The PowerShell command is Get-Service WDSServer

8.Copy the .cer file to the domain controller and create a new Group Policy to enable the "Allow network unlock at startup" policy.

9.Deploy the public certificate to the client computers via Group Policy.

10. Set Group Policy to "Require additional authentication at startup" and select "Require Startup PIN with TPM."

11. Create a certificate template for Network Unlock, which the Active Directory CA can use to create and issue the Network Unlock certificates. This is an involved process that we'll cover in a later article.

Summary

There have been a number of improvements to BitLocker Drive Encryption in Windows 8 and Windows Server 2012. In Part 1 of this article, we looked at the new support for self-encrypting drives (SEDs) and the new Network Unlock feature that allows for automatic unlocking of BitLocker-protected drives when the computer is connected to the wired corporate network. In Part 2, we'll take a look at another enterprise-level new feature: support for BitLocker on cluster shared volumes.